Ransomware-as-a-Service

In an era where software is increasingly being offered “as-a-service”, what prevents cyber gangs from peddling their wares to other extortionists? Apparently nothing.

LockBit is a newcomer to the ransomware scene, but it has some differentiators. Here’s what an Ars Technica article has to say:

Many LockBit competitors like Ryuk rely on live human hackers who, once gaining unauthorized access, spend large amounts of time surveying and surveilling a target’s network and then unleash the code that will encrypt it. LockBit worked differently.

“The interesting part about this piece of ransomware is that it is completely self-spreading,” said Patrick van Looy, a cybersecurity specialist at Northwave.

LockBit is also selective about whom it targets. The ransomware aborts if it detects that the machine being attacked is in Russia or any of the CIS member nations.

But most intriguing of all, it is offered as a service. And the LockBit owners seem to have an ethics code too:

LockBit is sold in underground broker forums that often require sellers to put up a deposit that customers can recover in the event the wares don’t perform as advertised. In a testament to their confidence and determination, the LockBit sellers have forked out almost $75,000.

You may be wondering why they don’t simply disappear once the money arrives instead of releasing the encrypted data or, in the case of Ransomware-as-a-Service, even returning money when their product fails in an attack. The answer is simple: it makes more business sense. Their goal is not just one target, but many. In the words of one user who commented on the article, “If one target pays and the files aren’t decrypted, other future targets will hear about it and not pay. The scheme only works long-term if people are able to get their files back.”

A report from Sophos, a security firm, shows how business-savvy these ransomware vendors are:

As with most ransomware, LockBit maintains a forum topic on a well-known underground web board to promote their product. Ransomware operators maintain a forum presence mainly to advertise the ransomware, discuss customer inquiries and bugs, and to advertise an affiliate program through which other criminals can lease components of the ransomware code to build their own ransomware and infrastructure.